Navigation

Gate One is an open source, web-based terminal emulator with a powerful plugin system. It comes bundled with a plugin that turns Gate One into an amazing SSH client but Gate One can actually be used to run any terminal application. You can even embed Gate One into other applications to provide an interface into serial consoles, virtual servers, or anything you like. It's a great supplement to any web-based administration interface.

Gate One works in any browser that supports WebSockets. No browser plugins required!

The AGPLv3 is similar to the GPLv3 in that it requires that you publicly release the source code of your application if you distribute binaries that use Gate One. However, it has an additional obligation: You must make your source code available to everyone if your application is provided as Software-as-a-Service (SaaS) or it's part of an Application Service Provider solution.

For example, if you're running Gate One on your server as part of a SaaS solution you must give away all of your source code.

Here are some examples where Open Source licensing makes sense:

Pre-installing Gate One as part of an open source Linux distribution.

Embedding Gate One into an open source application that is licensed under the AGPLv3 or the GPLv3 [1].

Bundling Gate One with an open source appliance.

Making Gate One available as part of an open source software repository.

Considerations: Unless you want your source code to be freely available to everyone you should opt for Gate One's Commercial License.

The Commercial License offerings for Gate One are very flexible and afford businesses the opportunity to include Gate One as part of their products and services without any source code obligations. It also provides licensees with a fully-supported solution and assurances.

Here are some examples where commercial licensing is typically necessary:

Including Gate One in software sold to customers who install it on their own equipment.

Selling software that requires the installation of Gate One.

Selling hardware that comes with Gate One pre-installed.

Bundling with or including Gate One in any product protected by patents.

Even if you don't plan to embed Gate One into one of your own products, enterprise support options available.

For more information on Gate One Commercial Licensing and support please visit our website.

If using Python 2.6 you'll need to install the ordereddict module: sudopipinstallordereddict or you can download it here. As of Python 2.7 OrderedDict was added to the collections module in the standard library.

The following commands can be used to verify which version of each are installed:

Addditionally, if you wish to use Kerberos/Active Directory authentication you'll need the python-kerberos module. On most systems both Tornado and the Kerberos module can be installed with via a single command:

Gate One can be installed via a number of methods, depending on which package you've got. Assuming you've downloaded the appropriate Gate One package for your operating system to your home directory...

These options match up directly with Gate One's command line options which you can view at any time by executing "gateone.py --help":

root@host:~ $ ./gateone.py --help
Usage: ./gateone.py [OPTIONS]
Options:
--help show this help information
--log_file_max_size max size of log files before rollover
--log_file_num_backups number of log files to keep
--log_file_prefix=PATH Path prefix for log files. Note that if you are running multiple tornado processes, log_file_prefix must be different for each of them (e.g. include the port number)
--log_to_stderr Send log output to stderr (colorized if possible). By default use stderr if --log_file_prefix is not set and no other logging is configured.
--logging=debug|info|warning|error|none Set the Python log level. If 'none', tornado won't touch the logging configuration.
./gateone.py
--address Run on the given address. Default is all addresses (IPv6 included). Multiple address can be specified using a semicolon as a separator (e.g. '127.0.0.1;::1;10.1.1.100').
--auth Authentication method to use. Valid options are: none, api, google, kerberos, pam
--certificate Path to the SSL certificate. Will be auto-generated if none is provided.
--command Run the given command when a user connects (e.g. '/bin/login').
--config Path to the config file. Default: /opt/gateone/server.conf
--cookie_secret Use the given 45-character string for cookie encryption.
--debug Enable debugging features such as auto-restarting when files are modified.
--disable_ssl If enabled, Gate One will run without SSL (generally not a good idea).
--dtach Wrap terminals with dtach. Allows sessions to be resumed even if Gate One is stopped and started (which is a sweet feature).
--embedded Doesn't do anything (yet).
--enable_unix_socket Enable Unix socket support use_unix_sockets (if --enable_unix_socket=True).
--https_redirect If enabled, a separate listener will be started on port 80 that redirects users to the configured port using HTTPS.
--js_init A JavaScript object (string) that will be used when running GateOne.init() inside index.html. Example: --js_init="{scheme: 'white'}" would result in GateOne.init({scheme: 'white'})
--keyfile Path to the SSL keyfile. Will be auto-generated if none is provided.
--kill Kill any running Gate One terminal processes including dtach'd processes.
--locale The locale (e.g. pt_PT) Gate One should use for translations. If not provided, will default to $LANG (which is 'en_US' in your current shell), or en_US if not set.
--new_api_key Generate a new API key that an external application can use to embed Gate One.
--origins A semicolon-separated list of origins you wish to allow access to your Gate One server over the WebSocket. This value must contain the hostnames and FQDNs (e.g. foo;foo.bar;) users will use to connect to your Gate One server as well as the hostnames/FQDNs of any sites that will be embedding Gate One. Here's the default on your system: 'localhost;yourhostname'. Alternatively, '*' may be specified to allow access from anywhere.
--pam_realm Basic auth REALM to display when authenticating clients. Default: hostname. Only relevant if PAM authentication is enabled.
--pam_service PAM service to use. Defaults to 'login'. Only relevant if PAM authentication is enabled.
--port Run on the given port.
--session_dir Path to the location where session information will be stored.
--session_logging If enabled, logs of user sessions will be saved in <user_dir>/<user>/logs. Default: Enabled
--session_timeout Amount of time that a session should be kept alive after the client has logged out. Accepts <num>X where X could be one of s, m, h, or d for seconds, minutes, hours, and days. Default is '5d' (5 days).
--sso_realm Kerberos REALM (aka DOMAIN) to use when authenticating clients. Only relevant if Kerberos authentication is enabled.
--sso_service Kerberos service (aka application) to use. Defaults to HTTP. Only relevant if Kerberos authentication is enabled.
--syslog_facility Syslog facility to use when logging to syslog (if syslog_session_logging is enabled). Must be one of: auth, cron, daemon, kern, local0, local1, local2, local3, local4, local5, local6, local7, lpr, mail, news, syslog, user, uucp. Default: daemon
--syslog_host Remote host to send syslog messages to if syslog_logging is enabled. Default: None (log to the local syslog daemon directly). NOTE: This setting is required on platforms that don't include Python's syslog module.
--syslog_session_logging If enabled, logs of user sessions will be written to syslog.
--unix_socket_path Run on the given socket file. Default: /var/run/gateone.sock
--url_prefix An optional prefix to place before all Gate One URLs. e.g. '/gateone/'. Use this if Gate One will be running behind a reverse proxy where you want it to be located at some sub-URL path.
--user_dir Path to the location where user files will be stored.

This setting controls how long API authentication objects will last before they expire if --auth is set to 'api' (default is 30 seconds). It accepts the following <num><character> types:

Character

Meaning

Example

s

Seconds

'60s' ➡ 60 Seconds

m

Minutes

'5m' ➡ 5 Minutes

h

Hours

'24h' ➡ 24 Hours

d

Days

'7d' ➡ 7 Days

Note

If the value is too small clock drift between the Gate One server and the web server embedding it can cause API authentication to fail. If the setting is too high it provides a greater time window in which an attacker can re-use that token in the event the Gate One server is restarted. Important: Gate One keeps track of used authentication objects but only in memory. If the server is restarted there is a window in which an API authentication object can be re-used (aka an authentication replay attack). That is why you want the api_timestamp_window to be something short but not too short as to cause problems if a clock gets a little out of sync.

This option specifies the command Gate One will run whenever a new terminal is opened. The default is for Gate One to run the ssh_connect.py script. Any interactive terminal application should work (e.g. 'nethack').

Optionally, you may provide any mixture of the following %VALUE% variables which will be automatically replaced with their respective values:

%VALUE%

Replacement

Example Value

%SESSION%

User's session ID

MDM1NTQyZmFjZGQzNDE5MGEwN2UxMTY4NmUxYzE3YzI0Z

%SESSION_HASH%

short_hash(session)

ZDmKJQAAAAA

%USERDIR%

user_dir setting

/opt/gateone/users

%USER%

user

user@company.com

%TIME%

timestamp (now)

1346435380577

Additionally,the following environment variables will be set before executing the 'command':

Variable

Example Value

$GO_SESSION

MDM1NTQyZmFjZGQzNDE5MGEwN2UxMTY4NmUxYzE3YzI0Z

$GO_SESSION_DIR

/tmp/gateone

$GO_TERM

1

$GO_USER

user@company.com

$GO_USER_DIR

/opt/gateone/users

Tip

You can write a shell script to wrap whatever program you want to pass it the above variables as command line arguments: /path/to/program--user=$GO_USER

cookie_secret="A45CharacterStringGeneratedAtRandom012345678"# NOTE: Yours will be different ;)

This is a 45-character string that Gate One will use to encrypt the cookie stored at the client. By default Gate One will generate one at random when it runs for the first time. Only change this if you know what you're doing.

Note

If you change this string in the server.conf you'll need to restart Gate One for the change to take effect.

What happens if you change it

All users existing, unexpired sessions will need to be re-authenticated. When this happens the user will be presented with a dialog box that informs them that the page hosting Gate One will be reloaded automatically when they click "OK".

Tip

You may have to change this key at a regular interval throughout the year depending on your compliance needs. Every few months is probably not a bad idea regardless.

This feature is special: It enables Gate One to be restarted (think: upgraded) without losing user's connected sessions. This option is enabled by default.

If dtach support is enabled but the dtach command cannot be found Gate One will output a warning message in the log.

Note

If you ever need to restart Gate One (and dtach support is enabled) users will be shown a message indicating that they have been disconnected and their browsers should automatically reconnect in 5 seconds. A 5-second maintenance window ain't bad!

This option tells Gate One which local translation (native language) to use when rendering strings. The first time you run Gate One it will attempt to automatically detect your locale using the $LANG environment variable. If this variable is not set it will fall back to using en_US.

Note

If no translation exists for your local the English strings will be used.

If you see unknown origins the logs it could be an attacker trying to steal your user's sessions! The origin that appears in the log will be the base URL that was used to connect to the Gate One server. This information can be used to hunt down the attacker. Of course, it could just be that a new IP address or hostname has been pointed to your Gate One server and you have yet to add it to the --origins setting ☺.

This command line option will generate a new, random API key and secret for use with applications that will be embedding Gate One. Instructions on how to use API-based authentication can be found in the Embedding Gate One Into Other Applications.

If --auth is set to "pam" Gate One will present this string in the BASIC auth dialog (essentially, the login dialog will say, "REALM: <pam_realm>"). Also, the user's directory will be created in --user_dir as user@.

If you set --uid and/or --gid to something other than "0" (aka root) Gate One will drop privileges to that user/group after it starts up. This will allow the use of ports under 1024 while still maintaining reasonable security by running as a user/group with lesser privileges.

This setting controls how long Gate One will wait before force-killing a user's disconnected session (i.e. where the user hasn't used Gate One in, say, "5d"). It accepts the following <num><character> types:

Character

Meaning

Example

s

Seconds

'60s' ➡ 60 Seconds

m

Minutes

'5m' ➡ 5 Minutes

h

Hours

'24h' ➡ 24 Hours

d

Days

'7d' ➡ 7 Days

Note

Even if you're using --dtach all programs associated with the user's session will be terminated when it times out.

If set to 'required' or 'optional' this setting will instruct Gate One to authenticate client-side SSL certificates. This can be an excellent added layer of security on top of Gate One's other authentication options. Obviously, only the 'required' setting adds this protection. If set to 'optional' it merely adds information to the logs.

This option tells Gate One to send logs of user sessions to the host's syslog daemon. Special characters and escape sequences will be sent as-is so it is up to the syslog daemon as to how to handle them. In most cases you'll wind up with log lines that look like this:

This specifies the URL path Gate One will live when it is accessed from a browser. By default Gate One will use "/" as its base URL; this means that you can connect to it using a URL like so: https://mygateone.company.com/

That "/" at the end of the above URL is what the url_prefix is specifying. If you wanted your Gate One server to live at https://gateone.company.com/gateone/ you could set url_prefix="/gateone/".

Note

This feature was added for users running Gate One behind a reverse proxy so that many apps (like Gate One) can all live behind a single base URL.

Tip

If you want to place your Gate One server on the Internet but don't want it to be easily discovered/enumerated you can specify a random string as the gateone prefix like url_prefix="/fe34b0e0c074f486c353602/". Then only those who have been made aware of your obfuscated URL will be able to access your Gate One server (at https://gateone.company.com/fe34b0e0c074f486c353602/ ☺)